Powershell Execution Policy Issue when running AllSigned

In our environment we are looking to move to a PowerShell Execution Policy of AllSigned. When running Octopus with this set by GPO, I get the following error:
2013-09-24 15:29:30 INFO Calling PowerShell script: 'D:\Octopus\Applications\gta Auto POC\EWClientBinaries\17.37.0-alpha02_1\PreDeploy.ps1'
2013-09-24 15:29:36 INFO Unable to modify the execution policy.
2013-09-24 15:29:56 INFO ERROR: & : File D:\Octopus\Applications\gta Auto POC\EWClientBinaries\17.37.0-alpha02_1\PreDeploy.ps1 cannot be loaded because you have elected to not run this software now.
2013-09-24 15:29:56 INFO ERROR: At line:1 char:3
2013-09-24 15:29:56 INFO ERROR: + & 'D:\Octopus\Applications\gta Auto POC\EWClientBinaries\17.37.0-alpha02_1\PreDe …
2013-09-24 15:29:56 INFO ERROR: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2013-09-24 15:29:56 INFO ERROR: + CategoryInfo : SecurityError: (:) [], PSSecurityException
2013-09-24 15:29:56 INFO ERROR: + FullyQualifiedErrorId : UnauthorizedAccess
2013-09-24 15:29:57 DEBUG Script 'D:\Octopus\Applications\gta Auto POC\EWClientBinaries\17.37.0-alpha02_1\PreDeploy.ps1' completed with return code -12.
2013-09-24 15:29:57 ERROR Octopus.Tentacle.Deployment.Integration.PowerShell.ScriptFailureException: PowerShell script 'D:\Octopus\Applications\gta Auto POC\EWClientBinaries\17.37.0-alpha02_1\PreDeploy.ps1' returned non-zero exit code: -12. Deployment terminated.
at Octopus.Tentacle.Deployment.Conventions.PowerShellConvention.RunScript(String scriptName, ConventionContext context) in c:\w\e6923628be6eaf72\source\Octopus.Tentacle\Deployment\Conventions\PowerShellConvention.cs:line 22
at Octopus.Tentacle.Deployment.Conventions.PowerShellPreDeployScript.Install(ConventionContext context) in c:\w\e6923628be6eaf72\source\Octopus.Tentacle\Deployment\Conventions\PowerShellPreDeployScript.cs:line 15
at Octopus.Tentacle.Deployment.DeploymentController.RunInstallConventions(ConventionContext context) in c:\w\e6923628be6eaf72\source\Octopus.Tentacle\Deployment\DeploymentController.cs:line 122
at Octopus.Tentacle.Deployment.DeploymentController.Execute(PackageMetadata package, VariableDictionary variables, IActivityLog log) in c:\w\e6923628be6eaf72\source\Octopus.Tentacle\Deployment\DeploymentController.cs:line 64
2013-09-24 15:29:57 ERROR Running rollback conventions…
2013-09-24 15:29:57 DEBUG Conventions will be run in the following order:
2013-09-24 15:29:57 DEBUG - PowerShellDeployFailedScript
2013-09-24 15:29:57 DEBUG Looking for PowerShell scripts named DeployFailed.ps1
2013-09-24 15:29:57 INFO Calling PowerShell script: 'D:\Octopus\Applications\gta Auto POC\EWClientBinaries\17.37.0-alpha02_1\DeployFailed.ps1'
2013-09-24 15:30:03 INFO Unable to modify the execution policy.
2013-09-24 15:30:05 INFO ERROR: & : File D:\Octopus\Applications\gta Auto POC\EWClientBinaries\17.37.0-alpha02_1\DeployFailed.ps1 cannot be loaded because you have elected to not run this software now.

I understand a fix was rolled out to deal with the Execution Policy being set by GPO, but that was when running RemoteSigned rather than AllSigned. Can you please advise how to deal with this new error, and let me know if you need anything else.

Thanks
Sam

Hi Sam,

This isn’t something we’ve tested with yet, we’ll have to look into it and get back to you.

Paul

Thanks Paul,

Do you have an eta on this?

Regards
Sam

Hi,

Was there ever any update on this please?

Regards
Sam

Hi Sam,

I’m really sorry no one got back to you any sooner about this.
I have created a GitHub issue that you can track here, and I might light a fire or two and see if I can get some movement on this.

Sorry again!
Vanessa

Thanks for this much appreciated.

Sam

Hi Sam,

Sorry for the delay here. I’ve done some research on this but it looks like there’s not much we can do. Your group policy says “Any PowerShell script must be signed by a trusted publisher”. When we run the scripts, we try to set the policy to Unrestricted, which normally works but in this case the group policy prevents it.

We can’t sign the scripts before running, and even if your scripts were signed, we generate certain bootstrap scripts that we wouldn’t be able to sign. At this stage I’d say a GP of ‘AllSigned’ isn’t compatible with how Octopus needs to work.

I know that’s probably not the answer you were hoping for, but let me know if there’s anything else we can do.

Paul
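Paul's explanation above (the tooling tries to set the policy to Unrestricted, and Group Policy prevents it) comes down to execution-policy scope precedence: MachinePolicy and UserPolicy, the two scopes Group Policy writes, outrank Process, CurrentUser and LocalMachine, so a per-process override is recorded but never takes effect. The following is an added diagnostic example, not code from the thread or from Octopus; it reports each scope and reproduces the "Unable to modify the execution policy" situation on a host where the GPO applies. The function name `Get-EffectivePolicyReport` is my own.

```powershell
# Added example: show why a process cannot override an AllSigned policy that Group Policy enforces.
# Scope precedence, highest first: MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.

function Get-EffectivePolicyReport {
    $scopes    = Get-ExecutionPolicy -List   # one entry per scope
    $effective = Get-ExecutionPolicy         # what PowerShell actually enforces for this session
    [pscustomobject]@{
        Effective     = $effective
        MachinePolicy = ($scopes | Where-Object Scope -eq 'MachinePolicy').ExecutionPolicy
        UserPolicy    = ($scopes | Where-Object Scope -eq 'UserPolicy').ExecutionPolicy
        Process       = ($scopes | Where-Object Scope -eq 'Process').ExecutionPolicy
        LocalMachine  = ($scopes | Where-Object Scope -eq 'LocalMachine').ExecutionPolicy
        # True when either Group Policy scope is defined; those values cannot be out-voted locally.
        GpoEnforced   = @($scopes | Where-Object {
            $_.Scope -in 'MachinePolicy', 'UserPolicy' -and $_.ExecutionPolicy -ne 'Undefined'
        }).Count -gt 0
    }
}

$report = Get-EffectivePolicyReport
$report | Format-List

# Mirror what a deployment wrapper does when it loosens the policy for its own process only.
# With a GPO-defined MachinePolicy, Set-ExecutionPolicy writes the Process value but then emits an
# ExecutionPolicyOverride error: the GPO value still wins. -ErrorAction Stop turns that into a throw.
try {
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force -ErrorAction Stop
    "Process scope applied; effective policy is now $(Get-ExecutionPolicy)"
}
catch {
    "Could not override the policy: $($_.Exception.Message)"
    if ($report.GpoEnforced) {
        "Group Policy defines '$($report.Effective)'. Every script this session loads, including any" +
        " generated bootstrap script, must carry a valid Authenticode signature from a trusted publisher."
    }
}
```

Run it as the same account the deployment agent uses; UserPolicy is per-user, so a report taken under an administrator's account may not show the policy the service account is actually bound by.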

I find it hard to believe that Octopus cannot sign its scripts, even bootstrap scripts, before execution (or sending them to the tentacle/agent to be executed) as long as a Script Signing certificate were installed on the Octopus server.

Can someone explain why this would not be feasible?

Hi Jon,

Thanks for getting in touch! Having a chat about what we could do here, it isn’t that it’s not feasible. No one has asked for it before, and it won’t work now.
After a very quick discussion it could work even with our bootstrapping scripts if it used the Tentacle certificate that we already have.
I’ve created a UserVoice suggestion to see how popular this idea would be: http://octopusdeploy.uservoice.com/forums/170787-general/suggestions/8509138-allow-octopus-to-run-signed-powershell-scripts

So please go and vote and comment and hopefully it will gain some traction.

Vanessa
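Jon's question and Vanessa's reply both turn on the same mechanism: under AllSigned a generated script is accepted only if the file on disk carries a valid Authenticode signature whose certificate chain the machine trusts. The example below is added here and is not Octopus code or a description of how Octopus later implemented the feature; it signs a freshly generated script with a code-signing certificate from the current user's personal store and verifies the result before invoking it. It assumes such a certificate (with private key, code-signing EKU 1.3.6.1.5.5.7.3.3) is installed and trusted on the host; the function names and the constructed bootstrap body are my own.

```powershell
# Added example: sign a dynamically generated bootstrap script so an AllSigned policy accepts it.
# Assumes a trusted code-signing certificate with a private key in Cert:\CurrentUser\My.

function Get-CodeSigningCert {
    param([string]$Thumbprint)   # optional: pin one certificate instead of taking the newest
    $certs = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Where-Object HasPrivateKey
    if ($Thumbprint) { $certs = $certs | Where-Object Thumbprint -eq $Thumbprint }
    $cert = $certs | Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw 'No code-signing certificate with a private key was found.' }
    $cert
}

function New-SignedBootstrapScript {
    param(
        [Parameter(Mandatory)][string]$Body,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # The signature covers the bytes on disk, so write the content first and sign the file, not the string.
    $path = Join-Path $env:TEMP ("bootstrap-{0}.ps1" -f [guid]::NewGuid())
    Set-Content -Path $path -Value $Body -Encoding UTF8
    # Add -TimestampServer <url> in production so the signature stays valid after the cert expires.
    $sig = Set-AuthenticodeSignature -FilePath $path -Certificate $Certificate -HashAlgorithm SHA256
    if ($sig.Status -ne 'Valid') {
        # UnknownError here almost always means the certificate chain is not trusted on this host.
        Remove-Item $path -ErrorAction SilentlyContinue
        throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)"
    }
    $path
}

function Test-ScriptSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Valid: hash matches and chain is trusted. NotSigned and HashMismatch are refused under AllSigned.
    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Signer  = $sig.SignerCertificate.Subject
        Message = $sig.StatusMessage
    }
}

$cert = Get-CodeSigningCert
$generated = @'
# constructed bootstrap body (stands in for tooling-generated wrapper code)
$ErrorActionPreference = 'Stop'
Write-Output "Bootstrap running as $env:USERNAME on $env:COMPUTERNAME"
'@

$script = New-SignedBootstrapScript -Body $generated -Certificate $cert
Test-ScriptSignature -Path $script | Format-List

# Under AllSigned this now loads (after a one-time trusted-publisher prompt for a new signer).
# Changing even one byte of the file after signing flips the status to HashMismatch and it is refused again.
& $script
```

Two points matter operationally: the signature is computed over the file's bytes, so any later edit (including a BOM or line-ending change by a text tool) invalidates it, and AllSigned still prompts on first use of a signer unless the certificate is already in the machine's Trusted Publishers store, which an unattended agent cannot answer.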